All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Guidance for using Splunk Apps while restricting access to data per department

cyndiback
Path Finder
‎10-30-2013 08:00 AM

Looking for best practices/guidance

Our organization has several departments. Each department maintains their own Windows/Unix servers. Forwarders (mixture of universal/heavy) are installed on each server. We have a single Splunk instance (indexer and search head to same machine). We have a requirement that each department should only see data generated by their equipment. We would like to use the Splunk Windows and Linux apps. We have been restricting access by index but these apps use index=os by default.

What is the best approach for deploying the apps while restricting access to the data per department?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gfuente
Motivator
‎10-30-2013 08:06 AM

Hello

You need to segregate the data by index. So you would need to modify all your inputs.conf to include a departament specific index, lets say: index= osdepartment1. But you could keep the sourcetypes

And then in the *nix app or window app, remove all index references from the search strings, so it will retrieve data from all indexes that contain the specified sourcetype.

Then, you only need to give access to users to their respective index, and they will only see the data from their department

Regards

View solution in original post

Reply
Solved! Jump to solution
Solution

gfuente
Motivator
‎10-30-2013 08:06 AM

Hello

You need to segregate the data by index. So you would need to modify all your inputs.conf to include a departament specific index, lets say: index= osdepartment1. But you could keep the sourcetypes

And then in the *nix app or window app, remove all index references from the search strings, so it will retrieve data from all indexes that contain the specified sourcetype.

Then, you only need to give access to users to their respective index, and they will only see the data from their department

Regards

Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...